Resilient Systems

IBM Resilient Incident Response Platform is an incident response platform that collects and manages information about security-related incidents and compromised personally identifiable information (PII).

You can configure InsightIDR to send incident and alert data to the IBM Resilient platform.

Before You Begin

For on-premises customers, the Resilient Platform can accept data from other SIEMs, such as InsightIDR, in the form of “Threat Services,” which you manage from the Threat Source Directory in the Resilient application. This requires the Security Module in your Resilient license.

In order to integrate InsightIDR as a Threat Service, ensure you have access to the following:

  • Master Administrator account
  • Command line (SSH) access to the Resilient appliance
  • InsightIDR API Token and account name
  • Connection to an AWS Server

Once you have these, complete the following:

  1. Register the Threat Service
  2. Verify the Threat Service
  3. Add an Artifact
  4. Configure the Data Exporter

Register the Threat Service

The Resilient Platform is the user interface that you can use to make changes to your account and configurations. You can also access the platform to make changes through the Resilient appliance command line.

Complete the following steps in the command line to register InsightIDR as a threat service:

  1. Log in to the Resilient appliance using an SSH client.
  2. At the prompt, enter the following command, substituting your InsightIDR API URL, account name and API token:

     $ sudo resutil threatserviceedit \
       -name "InsightIDR" \
       -resturl https://api.<InsightIDR API URL>/resilient/ \
       -user <InsightIDR account name> \
       -password <InsightIDR API Token>

It may take several moments for the command to complete. Note that the API token is passed as a command-line argument, so it is recorded in your shell history and is visible in the process list while the command runs; clear it from the history afterwards.

  3. Once complete, test the connectivity with the following command:

     $ sudo resutil threatservicetest -name "InsightIDR"

A confirmation message appears that reads “Successfully Connected to InsightIDR.”
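The two commands above can be wrapped so that the REST URL is checked to be HTTPS before the token is sent, and the API token is read from a mode 600 file instead of being typed into the shell history. The following script is an added example and is not part of the original page, nor Rapid7 or IBM tooling; it assumes resutil is on the appliance PATH, and the RESUTIL variable exists only so the wrapper can be dry-run with a stub.

```shell
#!/bin/sh
# Added example: wrapper around the resutil threatserviceedit / threatservicetest
# commands from the page. Assumes resutil is on PATH on the Resilient appliance
# and that the InsightIDR API token is kept in a file readable only by its owner.

# RESUTIL can be overridden (for example with a stub function) for a dry run.
RESUTIL="${RESUTIL:-sudo resutil}"

# The REST URL must be https so the token is never sent in clear text.
check_resturl() {
    case "$1" in
        https://*/resilient/) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse a token file that is readable by group or others
# (characters 5-10 of `ls -ld` are the group and other permission bits).
token_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# register_threat_service NAME RESTURL USER TOKENFILE
# Registers the threat service, then runs the connectivity test; its exit
# status is the status of the test.
register_threat_service() {
    name="$1"; resturl="$2"; user="$3"; tokenfile="$4"
    check_resturl "$resturl" || {
        echo "refusing non-https REST URL: $resturl" >&2; return 2; }
    token_file_is_private "$tokenfile" || {
        echo "token file missing or readable by others: $tokenfile" >&2; return 3; }
    token=$(cat "$tokenfile")
    [ -n "$token" ] || { echo "token file is empty" >&2; return 3; }
    $RESUTIL threatserviceedit -name "$name" -resturl "$resturl" \
        -user "$user" -password "$token" || return 4
    $RESUTIL threatservicetest -name "$name"
}

# Usage on the appliance (hypothetical values):
#   register_threat_service InsightIDR https://api.<InsightIDR API URL>/resilient/ \
#       <InsightIDR account name> /root/insightidr.token
```

The token still reaches resutil as a command-line argument, so it is visible in the process list for the duration of the call; the wrapper only keeps it out of the shell history and refuses a token file that other users could read.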

Verify the Threat Service

  1. As the Master Administrator, log in to the Resilient Platform interface.
  2. Select your username in the upper right corner and then select Administrator Settings > Threat Sources.
  3. At the bottom of the page, confirm that you see InsightIDR and that the toggle is set to ON.
  4. To disable InsightIDR as a Threat Service later, click the toggle to turn it OFF.

Add an Artifact

After you verify that the Threat Service is working, Resilient performs an automatic “artifact lookup” against it each time an incident originating from InsightIDR is created. An artifact is a piece of data that contextualizes an incident, such as a file hash.

When an incident occurs in InsightIDR, Resilient will automatically add the alert details as artifacts. You can also add artifacts manually to the Resilient Platform. Read more about adding Resilient Artifacts here: https://www.ibm.com/support/knowledgecenter/en/SSBRUQ_28.0.0/com.ibm.resilient.doc/master_admin/resilient_m_admin_settings_artifacts.htm

Read more about adding artifacts from emails automatically with an IBM script: https://exchange.xforce.ibmcloud.com/hub/extension/4ba70106b6f2dfa77cb1e3c921db7ff5

Configure the data exporter

InsightIDR sends its alert and investigation data to the Resilient Platform through a data exporter, which you must configure in InsightIDR to establish the connection between the two.

To configure the new data exporter in InsightIDR:

  1. From the left menu, go to Data Collection and click Data Exporters.
  2. Click Add Data Exporter.
  3. Select Resilient Systems as the Data Exporter Type.
  4. Choose your collector. You can also name your data exporter if you want.
  5. Enter the hostname or IP address of your Resilient server. Do not include the https:// prefix.
  6. Enter the HTTP Port of the API, that is, the port on which the Resilient server accepts incoming data.
  7. Select which types of data you want to export. You can send data for both Alerts and Investigations.
  8. Choose your Credentials or, optionally, create a new credential.
    • The Username should be the registered Resilient master administrator account.
  9. Enter the Password for the registered Resilient master administrator account. Because this credential carries full administrative rights on Resilient, limit who can view or edit this data exporter in InsightIDR.
  10. Enter the Resilient Systems Organization ID. This is the name of your Resilient organization, as a string.
    • If you have only one organization in Resilient, you can leave this field blank.
  11. Click Save.